I rarely see spam arriving in my email, due to the very good spam filters employed by both of the email services I pay for. But every now and again, something slips through.
This morning, I opened my mail program and found this in the junk folder:
This is a phishing attempt — a scam designed to get me to click that “Review & Secure your account” link and give away my email login information, or to land on a website that injects malware into my computer.
I have to give credit where it’s due; the social engineering on this is quite good. It’s simple and plays right into our (justifiable) fears about being hacked. It alarms the recipient with straightforward language. It provides an almost irresistible “easy fix” — just click that blue box and everything will be fine.
But it has a few telltale flaws that give it away.
The first sentence should read, “We detected something unusual about a recent attemptED sign-in…” or perhaps “…a recent attempt TO sign in…”
But this is pretty nitpicky, and perhaps no one but an editor would feel their eyeballs snap to it. Also nitpicky is the fact that normal business language does not include exclamation points (“…a malicious user might be trying to access your account!”). So let’s move on to the bigger giveaways.
2. No indication that this is from either company I pay to handle my email.
Good phishing attempts will try to fool a victim with a perfect company logo, usually of one of the big free services such as Gmail. Since I don’t use those, I’m hard to hit that way.
3. The scammer didn’t know that this email address is not an account.
It’s an alias — an email address that is tied to my account but is not the actual address of record for that account. I can change it at any time without affecting my real email address. I can have multiple aliases tied to the same account. And I do.
This is something I would strongly recommend for everyone. Most decent email services include aliases as an option, and they’re usually simple to set up. I always use an alias for online shopping, for instance. When the spam targeting that alias gets out of hand, I simply delete the alias and create a new one. BAM goes the spam, straight into a brick wall. The address it’s targeting no longer exists. But my account is untouched.
4. The link behind that tempting blue box is not my email service.
In fact, it’s not a service at all. It’s this (I have taken out the https and the .com parts to break the link):
daleshearer [dot] com.au/1/1/?email=[my email alias]
“.au” is the top-level domain for Australia. Did you know that Dale Shearer is a former professional rugby player in Australia? Somehow I don’t think he’s attempting to scam me, but someone is using his name to do so. Might be an inside joke, but it certainly doesn’t help the scammer.
There are several ways to view the address behind a link. In Apple Mail, I can hover my mouse over it to bring up a floating box that reveals the address. Some email clients will respond to a mouse-hover by showing the address in a status bar at the bottom of the window. Often, you can also right-click the link to see a contextual menu from which you can choose “copy link.” You can then paste that into a note, blank email, or open document. This takes a few more steps, but it lets you view the address in a safe place.
Always, always view the true address before ever clicking a link, no matter how official or “right” it might appear. And look closely at the revealed address. Not all of them are as obviously fake as this one. Many use the trick of incorporating a company name, but the full address will still have some giveaways in it, usually by being much longer than, say, “mail.google[dot]com/mail” (the actual URL for Gmail). It might be “mail.officialstuff.google.moreofficialstuff[dot]com” instead. Remember, the big companies pay for those short, easily remembered addresses. If it’s not short and simple, it’s probably not real.
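The “look closely at the revealed address” advice above, and the `?email=` query string on the link from this scam, can both be turned into a small check. The script below is an added example written for this post, not a tool the post’s author used: it pulls the hostname out of a pasted link, works out which part of it somebody actually registered (the rightmost two labels, or three for suffixes like `.com.au`), and reports whether that registered part is on a list of domains you trust, whether a trusted brand name merely appears somewhere to the left of it, and whether the link carries your address in its query string. The trusted-domain list, the tiny suffix table, and the `alias@example.com` value are assumptions made for the example; the three sample links are the ones quoted in the post (with the scheme restored and a placeholder alias).

```python
from urllib.parse import urlsplit, parse_qs

# Public suffixes made of two labels, so that "daleshearer.com.au" is treated
# as the registered domain rather than "com.au". This is a hand-picked subset
# for the example; a real tool would load the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "org.uk", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that someone actually registered.

    'mail.google.com' -> 'google.com'; 'x.daleshearer.com.au' -> 'daleshearer.com.au'.
    Everything to the left of that is chosen freely by whoever controls the
    domain, which is why a brand name in a subdomain proves nothing.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str, trusted_domains) -> dict:
    """Break a pasted link down into the facts worth checking before clicking."""
    if "://" not in url:
        url = "https://" + url  # the post quotes links with the scheme removed
    parts = urlsplit(url)
    host = parts.hostname or ""
    registered = registrable_domain(host)
    trusted = registered in trusted_domains
    # Brand names (the leftmost label of each trusted domain) appearing in the
    # hostname while the registered domain is NOT trusted is the lookalike trick
    # described in the post.
    brand_names = {d.split(".")[0] for d in trusted_domains}
    lookalike = (not trusted) and any(b in host for b in brand_names)
    query = parse_qs(parts.query)
    return {
        "host": host,
        "registered_domain": registered,
        "trusted": trusted,
        "lookalike": lookalike,
        "email_in_query": query.get("email", [None])[0],
    }


# Constructed sample links based on the addresses quoted in the post. The alias
# value is a placeholder, not the author's real alias.
SAMPLE_LINKS = [
    "https://mail.google.com/mail",
    "https://mail.officialstuff.google.moreofficialstuff.com",
    "https://daleshearer.com.au/1/1/?email=alias%40example.com",
]
TRUSTED = {"google.com"}  # assumed list of mail providers you actually use


def inspect_samples():
    """Run the check over the constructed sample links."""
    return [inspect_link(u, TRUSTED) for u in SAMPLE_LINKS]


if __name__ == "__main__":
    for result in inspect_samples():
        verdict = "OK" if result["trusted"] else "DO NOT CLICK"
        print(f"{verdict:12} {result['host']:<55} registered={result['registered_domain']}"
              f" lookalike={result['lookalike']} email={result['email_in_query']}")
```

Paste the copied link into `inspect_link` (or add it to `SAMPLE_LINKS`) and read the `registered_domain` field first; that is the only part of the address the sender could not have chosen freely. The `email_in_query` field shows when a link carries your own address, which is how a landing page can tell which recipient followed it, and which is exactly what the post’s alias trick defeats: delete the alias and the address in that link stops working.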
And that concludes today’s public service announcement. Let’s be careful out there!*
* gratuitous Hill Street Blues reference